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SUBJECT:  Comments  on  Draft  Report  on  Audit  of  Overseas  Laptop 
Computer  Inventory  Controls  and  Security  Management  ( AUD/SI-10-08 ) 

REF:  A)  6 NOV  2009  MEMORANDUM  FROM  OIG  HAROLD  W.  GEISEL  TO 
AMBASSADOR,  U.S.  EMBASSY  BOGOTA 

B)  DRAFT  REPORT  ON  AUDIT  OF  OVERSEAS  LAPTOP  COMPUTER  INVENTORY 
CONTROLS  AND  SECURITY  MANAGEMENT  (AUD/SI-10-08) 

1.1.  Following  is  Embassy  Bogota  comments  on  the  draft  report  and 
information  on  actions  taken  for  the  seven  recommendations  (Nos.  2, 
4,  7,  9,  11,  13  and  15)  that  require  Post's  attention  per  Ref  A. 


12.  OIG  Recommendation  2.  OIG  recommends  that  Embassies  Bogota, 
Mexico  City,  Rome,  and  Vienna  require  the  Information  Management 
Officer  and  the  General  Services  Officer  to  ensure  that  all  laptops 
are  properly  entered  into  the  post  inventory  system  and 
periodically  reconciled  to  manual  records. 


Agree.  Per  the  draft  OIG  report,  ref  B,  IMO  and  GSO  will  ensure 
that  NAS  procured  laptops  and  RSO  procured  laptops  are  entered  in 
ILMS  even  when  the  laptops  are  procured  outside  of  normal  Embassy 
procurement  channels.  IMO  & GSO  will  ensure  that  all  NAS  and  RSO 
personnel  understand  Post's  policies.  IMO  has  taken  over  the 
management  of  NAS  laptop  inventory  to  ensure  all  NAS  laptops  are 
properly  inventoried. 


13.  OIG  Recommendation  4.  OIG  recommends  that  Embassies  Bogota  and 
Mexico  City  require  the  Information  Management  Officer  to  submit 
the  results  of  the  next  physical  inventory  of  laptop  computers, 
along  with  the  accompanying  reconciliation  of  the  official 
inventory  with  the  Information  Management  Officer's  unofficial 
inventory,  to  the  Bureau  of  Information  Resource  Management  and  the 
Office  of  Inspector  General. 


Agree.  GSO  and  IRM  will  match  laptop  inventories  on  a quarterly 
basis  and  ensure  all  laptops,  however  or  by  whoever  procured  are 
entered  into  the  ILMS  inventory.  IMO  is  now  responsible  for 
complete  management  of  all  State  Department  laptops. 


14.  OIG  Recommendation  7.  OIG  recommends  that  Embassies  Bogota, 
Mexico  City,  Rome,  and  Vienna  require  the  Information  Management 
Officer  to  ensure  compliance  with  laptop  loan  out  procedures  and 
the  proper  preparation  of  supporting  documentation. 


Agree.  IMO  will  assure  that  per  the  OIG  draft  report,  ref  B,  since 
"Most  of  the  documents  were  in  the  NAS,  where  officials  said  that 
they  were  not  aware  of  the  requirement  to  have  authorizing 
Signatures."  NAS  officials  are  aware  of  the  requirement.  Ref  B 
also  states  that  "OIG  informed  the  NAS  chief  that  all  laptop  loans 


required  a supervisory  authorizing  official  to  sign  the  forms,  and 
he  agreed  to  ensure  that  this  was  done  in  the  future."  IMO  is  now 
responsible  for  all  NAS  laptops  and  will  ensure  these  laptops 
adhere  to  all  Post  and  Department  procedures. 


f.5 . OIG  Recommendation  9.  OIG  recommends  that  Embassy  Bogota 
require  the  Information  Management  Officer  and  the  General  Services 
Officer  to  investigate  the  disposition  of  each  missing  laptop  and 
prepare  the  required  documentation  as  necessary.  The  Bureau  of 
Information  Resource  Management  and  the  Office  of  the  Inspector 
General  should  then  be  notified  with  the  accompanying 
documentation . 


Agree.  Per  Ref  B "this  occurred  because  the  Embassy's  NAS  and  GSO 
did  not  follow  required  Department  procedures  for  reporting  missing 
laptop... NAS  should  have  reported  these  losses  immediately  to  the 
IMO."  This  recommendation  also  relates  back  to  recommendation  2 
where  "all  laptops  are  properly  entered  into  the  post  inventory 
system" . Once  this  occurs  IMO  can  ensure  all  laptops  are  counted 
and  missing  laptops  properly  disposed  of.  Per  Ref  B,  "During  its 
visit,  OIG  informed  NAS  and  the  GSO  of  the  need  to  immediately 
report  the  missing  laptops  to  cognizant  officials  for  appropriate 
actions... In  March  2009,  the  NAS  prepared  the  required  property 
disposal  reports  for  its  five  laptops."  IMO  will  remind  NAS  and 
GSO  of  the  reporting  requirement  for  missing  property  as  directed 
in  FAM.  IMO  is  now  responsible  for  all  laptops  so  this  issue 
should  never  recur. 


V6 . OIG  Recommendation  11.  OIG  recommends  that  Embassies  Bogota, 
Mexico  City,  Rome,  Tokyo,  and  Vienna  and  the  American  Institute  in 
Taiwan  require  the  Information  Management  Officer  to  ensure  that 
all  laptop  users  receive  the  annual  cyber  security  awareness 
briefing  and  to  maintain  documentation  to  support  that  the  briefing 
was  presented. 


Agree.  IMO  is  now  managing  the  complete  laptop  program.  Since  all 
laptop  users  will  be  subject  to  procedures  outlined  in  Ref  B there 
should  be  no  unsigned  acknowledgement  forms.  By  signing  the  form 
DS-7642  Mobil  Computing  and  Data  Storage  Request,  the  user 
acknowledges  that  the  briefing  has  been  completed. 


17 . OIG  Recommendation  13.  OIG  recommends  that  Embassy  Bogota  and 
the  American  Institute  in  Taiwan  require  the  Information  Management 
Officer  to  comply  with  the  provisions  of  the  Foreign  Affairs 
Handbook  (12  FAH-6  H-542.5-10)  for  hard  drive  disposition  and  the 
proper  preparation  of  laptop  shipping  documentation. 


Agree.  Per  Ref  B,  "During  FY  2008,  Embassy  Bogota's  NAS  disposed 
of  14  laptops  through  auction,  but  the  NAS  did  not  follow  the 
Department ' s regulation  for  the  proper 

disposition  of  hard  drives.  The  FAH  (12  FAH-6  H-542.5-10)  requires 
all  hard  drives  to  be  sent  via  classified  pouch  to  IRM  for 
disposition.  NAS  officials  said  that  the  hard  drives  had  been 
erased  with  Department-approved  software  to  remove  any  information 
prior  to  sale.  However,  all  hard  drives  must  be  sent  via  classified 
pouch  to  IRM  for  disposition.  The  NAS  officials  further  stated  that 
they  were  unaware  of  the  requirement  to  send  the  hard  drives  to  IRM 
and  that  it  was  the  NAS's  understanding  that  embassies  and  posts 
were  allowed  to  sanitize  hard  drives  and  to  destroy  them  in 
accordance  with  local  procedures . " 

IMO  is  now  managing  the  laptop  program  including  all  NAS  laptops. 
Disposition  of  all  NAS  laptops  and  hard  drives  will  comply  with  the 
provisions  of  12  FAH-6  H-542.5-10. 


1_8 . OIG  Recommendation  15.  OIG  recommends  that  Embassies  Bogota, 
Mexico  City  and  Vienna  require  the  Information  Management  Officer 
to  comply  with  Department  of  State  policy  to  encrypt  all  laptops  or 
to  obtain  waivers  when  there  is  a valid  operational  justification. 


Agree.  IMO  is  now  managing  the  laptop  program  and  all  laptops  are 
encrypted.  NAS  and  RSO  laptops  that  were  too  old  for  encryption 
have  been  disposed. 


19 . Post  appreciates  the  opportunity  to  participate  in  this 
overseas  review  and  correct  noted  deficiencies. 

BROWNFIELD 


